The cost scenario sounds familiar, would a company want to spend money up front on a solution or would they rather pay later. The survey said if there are security gaps, the breach can be quite costly.

Organizations that invested in stronger defenses and trained its employees to be more self-conscious were in a better position to stop or survive attacks, Symantec found in its Endpoint Protection Best Practices survey.

The “top tier” organizations in the survey were 2.5 times less likely to experience a major cyber attack, and 3.5 times less likely to experience downtime compared to other enterprises, said Jason Nadeau, director of product management.

Symantec surveyed 1,425 professionals working in IT, of which one-third were C-level executives. Each respondent earned a score based on their responses to what kind of protections the organization had deployed. Top tier refers to respondents that scored in top 33 percent, Nadeau said. The survey did not ask specific questions about what security products they deployed, but focused on category types.

“The traditional endpoint security tool – antivirus software – is no longer effective on a stand-alone basis,” researchers said, adding, “The organizations that had deployed more comprehensive security technologies and practices were better prepared and better able to thwart attacks.”

Organizations with higher scores reported using various layers to protect their assets, including data loss prevention, intrusion prevention and detection systems, anti-malware and firewalls. It also included patch management and maintenance. Nearly all of the organizations in this group reported conducting awareness training for staff. Top-ranked organizations invested in tools to prevent unauthorized copying of data to and from peripheral devices such as USB drives, deployed safeguards including encryption, access control and reputation-based security.

The policies and practices of the top tier responders contrasted “sharply” to those who ranked in the bottom tier, the report said.

Less than half of the organizations in the bottom group reported being current with all operating system and application updates, and roughly half had considered encryption, access control, data loss prevention and reputation-based security technologies. Only a fifth of their physical assets, including desktops, laptops and mobile devices, have virus and spyware protection, and only a tenth of virtual systems had protection.

The bottom tier organizations did not train employees on security best practices as often. These organizations were likely to suffer heavier losses after a successful cyber attack, the report found.

Regardless of their ranking on the list, organizations were not immune from cyber attacks and still experienced downtime and losses when protections failed. About 53 percent of the survey participants said in the case of a cyber incident, the organization suffered lost productivity and labor costs for the IT staff to resolve issues, revenue loss, lost data and brand damage.

Cyber incidents cost organizations $558,000 in revenue losses, $480,831 in brand damage, $366,301 due to compliance fines, and $174,309 in lost productivity, the survey found.